~hc/RK356X_SDK_RELEASE.git

..	..	@@ -114,7 +114,13 @@
114	114
115	115	if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) {
116	116	epid = svc_rspmsg->endpoint_id;
117		- if (epid < 0 \|\| epid >= ENDPOINT_MAX)
	117	+
	118	+ /* Check that the received epid for the endpoint to attach
	119	+ * a new service is valid. ENDPOINT0 can't be used here as it
	120	+ * is already reserved for HTC_CTRL_RSVD_SVC service and thus
	121	+ * should not be modified.
	122	+ */
	123	+ if (epid <= ENDPOINT0 \|\| epid >= ENDPOINT_MAX)
118	124	return;
119	125
120	126	service_id = be16_to_cpu(svc_rspmsg->service_id);
..	..	@@ -391,7 +397,7 @@
391	397	* HTC Messages are handled directly here and the obtained SKB
392	398	* is freed.
393	399	*
394		- * Service messages (Data, WMI) passed to the corresponding
	400	+ * Service messages (Data, WMI) are passed to the corresponding
395	401	* endpoint RX handlers, which have to free the SKB.
396	402	*/
397	403	void ath9k_htc_rx_msg(struct htc_target *htc_handle,
..	..	@@ -478,6 +484,8 @@
478	484	if (endpoint->ep_callbacks.rx)
479	485	endpoint->ep_callbacks.rx(endpoint->ep_callbacks.priv,
480	486	skb, epid);
	487	+ else
	488	+ goto invalid;
481	489	}
482	490	}
483	491